BITSCTF – Tom and Jerry (50 points)

I had a little time to join BITSCTF with my team defconUA and want to write up one of the tasks I was working on. They gave us a pcapng named ‘Cat.pcapng’. The challenge name is “Tom and Jerry”, and everything we see inside the pcap is related to input devices. The first thing to check is what kind of device was recorded in the pcap.

From here we need to understand what those captured data bytes are and what they mean. Mainly we have packets of 73 and 64 bytes in length. The 64-byte ones are just confirmations of the previous operation, so we can filter them out because there is nothing interesting there. But first, apply “Leftover Capture Data” as a column and look at it in the main packet window.

“Apply as Column” option over Leftover Capture Data

Now filter out all the uninteresting packets mentioned above. This can be done with a simple display filter in Wireshark:

((usb.transfer_type == 0x01) && (frame.len == 73))

We can ‘Save As’ Cat_filtered.pcapng and work with tshark from here. But the important thing is to understand what those hex bytes of captured data mean. A teammate pointed me to how it works. Let’s see.

The first tries were frustrating because of the little-endian representation. We need to extract byte positions 3,4 for X and 5,6 for Y, but first we must somehow swap those bytes. So first, pull the interesting data out with a little awk magic (cat.txt is the Leftover Capture Data column exported as one colon-separated line per packet):

awk -F: '{x=$3$4;y=$5$6}$1=="02"{print x,y}' cat.txt>hex

Then swap the bytes with a little help from Python. This was my first try:

Then just write the X and Y data to a file and try to plot it with gnuplot:

$ python le.py > data.txt
$ gnuplot
gnuplot> plot "data.txt"

This was the result, with a mirrored effect. Clearly it was something that could be the flag, but I had made an important mistake: I had to take care of a third variable, pressure. With this information and help from teammates things became clear. Pressure was the ‘z’ coordinate in the new Python script. So include this value in the hex data with awk and rewrite the Python script.
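The whole decoding step described above (report-id filter, little-endian swap of X and Y, and dropping samples where the pen exerts no pressure), put together as an added Python example. This is not the script from the writeup: the sample report lines are constructed, and the pressure offset (bytes 7,8, right after Y) is an assumption, since the post only says pressure is the third value and does not give its position.

```python
import struct

# Constructed sample of the "Leftover Capture Data" column, one HID report
# per line, bytes separated by ':' like the cat.txt fed to the awk one-liner.
# These values are made up and are not from the real Cat.pcapng.
SAMPLE_LINES = """\
02:f0:34:12:78:56:00:00
02:f0:35:12:79:56:20:03
02:f0:40:12:80:56:1c:03
01:00:05:00
""".splitlines()


def parse_report(line):
    """Turn one colon-separated HID report into (x, y, pressure).

    Field positions follow the writeup: the report id is byte 1 (must be
    0x02), X is bytes 3-4 and Y is bytes 5-6, both little-endian, which is
    what struct's '<H' does instead of swapping hex digits by hand.
    The pressure offset (bytes 7-8) is an assumption, not from the post.
    Returns None for reports that are not tablet coordinate reports.
    """
    raw = bytes.fromhex(line.replace(":", ""))
    if len(raw) < 8 or raw[0] != 0x02:
        return None
    x, y, pressure = struct.unpack_from("<HHH", raw, 2)
    return x, y, pressure


def extract_points(lines, min_pressure=1, flip_y=False, y_max=0xFFFF):
    """Return the (x, y) points that should be plotted.

    Samples with pressure below min_pressure are the pen hovering between
    strokes; keeping them is what joins the letters into an unreadable mess.
    flip_y mirrors the Y axis, which undoes the mirrored plot gnuplot gives
    when the tablet's origin is top-left.
    """
    points = []
    for line in lines:
        report = parse_report(line)
        if report is None:
            continue
        x, y, pressure = report
        if pressure < min_pressure:
            continue
        if flip_y:
            y = y_max - y
        points.append((x, y))
    return points


def write_gnuplot_data(points, path):
    """Write points as 'x y' rows, the format gnuplot's plot "file" expects."""
    with open(path, "w") as fh:
        for x, y in points:
            fh.write(f"{x} {y}\n")


if __name__ == "__main__":
    pts = extract_points(SAMPLE_LINES, flip_y=True)
    write_gnuplot_data(pts, "data.txt")
    print(f"wrote {len(pts)} points; now run: gnuplot -e 'plot \"data.txt\"'")
```

For the real capture, replace SAMPLE_LINES with the lines of cat.txt (for example `open("cat.txt").read().splitlines()`); the script then writes data.txt in the same shape the gnuplot step above consumes.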